Flash ctrl changes

.bazelignore

@@ -3,3 +3,4 @@ build
 hw/ip/prim/util/vendor/google_verible_verilog_syntax_py
 sw/vendor/google_googletest
 util/lowrisc_misc-linters
+bazel-airgapped

.bazelrc

@@ -2,23 +2,19 @@
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
 
+# Enable bzlmod with `MODULE.bazel` and disable the `WORKSPACE` system.
+common --enable_bzlmod
+common --enable_workspace=no
+
 # https://docs.opentitan.org/doc/rm/c_cpp_coding_style/#cxx-version specifies
-build --action_env=BAZEL_CXXOPTS="-std=gnu++14"
-build --cxxopt='-std=gnu++14'
+build --action_env=BAZEL_CXXOPTS="-std=gnu++17"
+build --cxxopt='-std=gnu++17'
 build --conlyopt='-std=gnu11'
 
 # Never strip debugging information so that we can produce annotated
 # disassemblies when compilation mode is fastbuild.
 build --strip='never'
 
-# Override default enablement of flags from @crt//common to control C compiler
-# warnings.
-build --features=-pedantic_warnings
-
-# Enable toolchain hardening features.
-# `guards` adds `unimp` guard instructions after unconditional jumps.
-build --features=guards
-
 # Use --config=disable_hardening to disable hardening to measure the
 # impact of the hardened sequences on code size.
 build:disable_hardening --features=-guards --copt=-DOT_DISABLE_HARDENING=1
@@ -32,7 +28,7 @@ build --workspace_status_command=util/get_workspace_status.sh
 
 # This enables convenient building for opentitan targets with the argument
 # --config=riscv32
-build:riscv32 --platforms=@crt//platforms/riscv32:opentitan
+build:riscv32 --platforms=@//toolchain:opentitan_platform
 
 # These options are required to build `cc_fuzz_test` targets. Enable with
 # --config=asan-libfuzzer
@@ -42,37 +38,27 @@ build:asan-libfuzzer --@rules_fuzzing//fuzzing:cc_engine=@rules_fuzzing//fuzzing
 build:asan-libfuzzer --@rules_fuzzing//fuzzing:cc_engine_instrumentation=libfuzzer
 build:asan-libfuzzer --@rules_fuzzing//fuzzing:cc_engine_sanitizer=asan
 
-# Shared configuration for clang's source-based coverage instrumentation.
-# Bazel seems to support this only partially, thus we have to perform some
-# additional processing. See
-# https://github.com/bazelbuild/bazel/commit/21b5eb627d78c09d47c4de957e9e6b56a9ae6fad
-# and `util/coverage/coverage_off_target.py`.
-build:ot_coverage --repo_env='CC=clang'
-build:ot_coverage --repo_env='BAZEL_USE_LLVM_NATIVE_COVERAGE=1'
-build:ot_coverage --java_runtime_version='remotejdk_11'
-# Docs state that bazel will fail to create coverage information if tests have
-# been cached previously. See
-# https://bazel.build/configure/coverage?hl=en#remote-execution
-coverage:ot_coverage --nocache_test_results
-
-# Configuration for measuring off-target coverage. Enable with
-# `--config=ot_coverage_off_target`.
-build:ot_coverage_off_target --config='ot_coverage'
-build:ot_coverage_off_target --collect_code_coverage
-coverage:ot_coverage_off_target --repo_env='GCOV=/usr/bin/llvm-profdata'
-coverage:ot_coverage_off_target --repo_env='BAZEL_LLVM_COV=/usr/bin/llvm-cov'
-
-# Configuration for measuring on-target coverage. Enable with
-# `--config=ot_coverage_on_target`.
-build:ot_coverage_on_target --config='ot_coverage'
-build:ot_coverage_on_target --platforms="@crt//platforms/riscv32:opentitan"
-build:ot_coverage_on_target --define='measure_coverage_on_target=true'
-# Instrument selectively to limit size overhead when measuring on-target coverage.
-# Note: We have to disable optimizations until the corresponding item in #16761 is
-# resolved.
-build:ot_coverage_on_target --per_file_copt='//sw/device/silicon_creator[/:].*,//sw/device/lib/base:.*@-fprofile-instr-generate,-fcoverage-mapping,-O0'
-# Needed to be able to build host binaries while collecting coverage.
-coverage:ot_coverage_on_target --platforms=""
+# Configuration for clang's source-based coverage instrumentation.
+coverage:ot_coverage --java_runtime_version='remotejdk_11'
+coverage:ot_coverage --instrumentation_filter="^//sw/device"
+coverage:ot_coverage --repo_env='BAZEL_USE_LLVM_NATIVE_COVERAGE=1'
+coverage:ot_coverage --experimental_use_llvm_covmap
+coverage:ot_coverage --experimental_generate_llvm_lcov
+coverage:ot_coverage --combined_report=lcov
+
+# Set coverage mode indicators
+coverage:ot_coverage --define='ot_coverage_enabled=true'
+coverage:ot_coverage --@rules_rust//:extra_rustc_flag='--cfg=feature="ot_coverage_enabled"'
+coverage:ot_coverage --@rules_rust//:extra_exec_rustc_flag='--cfg=feature="ot_coverage_enabled"'
+coverage:ot_coverage --//rules/coverage:enabled_flag
+coverage:ot_coverage --copt='-DOT_COVERAGE_ENABLED=1'
+
+# Host-side toolchain flags for unit tests
+# https://github.com/bazelbuild/bazel/blob/release-8.0.1/src/test/shell/bazel/bazel_coverage_cc_test_llvm.sh#L59-L64
+coverage:ot_coverage --repo_env='BAZEL_LLVM_COV=llvm-cov'
+coverage:ot_coverage --repo_env='BAZEL_LLVM_PROFDATA=llvm-profdata'
+coverage:ot_coverage --repo_env='CC=clang'
+coverage:ot_coverage --repo_env='GCOV=llvm-profdata'
 
 # Disable ccache if it happens to be installed
 build --define=CCACHE_DISABLE=true
@@ -134,7 +120,7 @@ build --@rules_rust//rust/toolchain/channel=nightly
 # Configure the rust 'clippy' linter.
 build --aspects=@rules_rust//rust:defs.bzl%rust_clippy_aspect
 build --output_groups=+clippy_checks
-build --@rules_rust//:clippy_flags="-Aclippy::bool_assert_comparison,-Aclippy::uninlined_format_args,-Wclippy::undocumented_unsafe_blocks,-Dwarnings"
+build --@rules_rust//:clippy_flags="-Aclippy::bool_assert_comparison,-Aclippy::uninlined_format_args,-Aclippy::needless_lifetimes,-Aclippy::precedence,-Wclippy::undocumented_unsafe_blocks,-Dwarnings"
 
 # Configure the module ID check.
 build --aspects=rules/quality.bzl%modid_check_aspect
@@ -148,3 +134,10 @@ build --flag_alias=ckms_cert_endorsement=//sw/device/silicon_creator/manuf/skus/
 
 # cquery output option.
 cquery --output=files
+
+common --legacy_external_runfiles
+
+# We have Verilator DPIs that use pseudoterminals, so we need to be able to use
+# these when running sandboxed tests.
+test --sandbox_explicit_pseudoterminal
+run --sandbox_explicit_pseudoterminal

.bazelversion

@@ -1 +1 @@
-6.2.1
+8.0.1

.gitattributes

@@ -26,3 +26,6 @@ sw/**/*.md  doc
 sw/**/*.svg doc
 sw/**/*.jpg doc
 sw/**/*.png doc
+
+# Generated lock files
+MODULE.bazel.lock linguist-generated=true

.github/CODEOWNERS

@@ -57,4 +57,4 @@ COPYING*            @mundaym
 
 # CI and testing
 /ci/                @rswarbrick
-azure-pipelines.yml @rswarbrick
+/.github            @rswarbrick

.github/actions/download-partial-build-bin/action.yml

@@ -0,0 +1,31 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Download partial build-bin artifacts
+description:  Download partial build-bin and merge them
+
+inputs:
+  job-patterns:
+    description: Glob patterns of jobs to download artifact from
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Download partial build bins
+      uses: actions/download-artifact@v4
+      with:
+        pattern: partial-build-bin-${{ inputs.job-patterns }}
+        path: downloads
+    - name: Extract and merge bins
+      shell: bash
+      run: |
+        mkdir -p build-bin
+        find downloads -name "build-bin.tar" -exec \
+          tar -C build-bin --strip-components=1 -xvf {} \;
+        rm -rf downloads
+    - name: Show all downloads files
+      shell: bash
+      run: |
+        find build-bin

.github/actions/prepare-env/action.yml

@@ -0,0 +1,158 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Prepare environment
+description: Install dependencies and prepare environment needed for OpenTitan
+
+inputs:
+  service_account_json:
+    description: Service account JSON for Google Cloud access
+    default: ''
+  verilator-version:
+    description: Verilator version to install
+    required: true
+    default: '4.210'
+  verilator-path:
+    description: Path at which to install Veriltator
+    required: true
+    default: /tools/verilator
+  verible-version:
+    description: Verible version to install
+    required: true
+    default: 'v0.0-3622-g07b310a3'
+  verible-path:
+    description: Path at which to install Verible
+    required: true
+    default: /tools/verible
+  configure-bazel:
+    description: Configure Bazel to use remote cache
+    required: true
+    default: true
+  working-directory:
+    description: Working directory
+    default: ${{ github.workspace }}
+
+runs:
+  using: composite
+  steps:
+    - name: Install system dependencies
+      run: |
+        sudo apt update
+        grep '^[^#]' apt-requirements.txt | xargs sudo apt install -y
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+
+    - uses: astral-sh/setup-uv@v3
+      with:
+        version: '0.4.20'
+        enable-cache: true
+        cache-dependency-glob: |
+          ${{ inputs.working-directory }}/pyproject.toml
+          ${{ inputs.working-directory }}/python-requirements.txt
+
+    - name: Install Python
+      shell: bash
+      run: |
+        uv python install 3.9
+        # Create a virtual environment for UV
+        uv venv ~/.local/share/venv
+        echo "$HOME/.local/share/venv/bin" >> "$GITHUB_PATH"
+        echo "VIRTUAL_ENV=$HOME/.local/share/venv" >> "$GITHUB_ENV"
+      working-directory: ${{ inputs.working-directory }}
+
+    - name: Install Python dependencies
+      shell: bash
+      run: |
+        uv pip install -r python-requirements.txt --require-hashes
+      working-directory: ${{ inputs.working-directory }}
+
+    - name: Install Verilator
+      run: |
+        VERILATOR_TAR="verilator-v${{ inputs.verilator-version }}.tar.gz"
+        VERILATOR_URL="https://storage.googleapis.com/verilator-builds/${VERILATOR_TAR}"
+        sudo mkdir -p "${{ inputs.verilator-path }}"
+        curl -sSfL "$VERILATOR_URL" | sudo tar -C "${{ inputs.verilator-path }}" -xvzf -
+        echo "${{ inputs.verilator-path }}/v${{ inputs.verilator-version }}/bin" >> "$GITHUB_PATH"
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+
+    - name: Install Verible
+      run: |
+        VERIBLE_TAR="verible-${{ inputs.verible-version }}-linux-static-x86_64.tar.gz"
+        VERIBLE_URL="https://github.com/chipsalliance/verible/releases/download/${{ inputs.verible-version }}/${VERIBLE_TAR}"
+        sudo mkdir -p "${{ inputs.verible-path }}"
+        curl -sSfL "$VERIBLE_URL" | sudo tar -C "${{ inputs.verible-path }}" -xvzf - --strip-components=1
+        # Fixup bin permission which is broken in tarball.
+        sudo chmod 755 "${{ inputs.verible-path }}/bin"
+        echo "${{ inputs.verible-path }}/bin" >> "$GITHUB_PATH"
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+
+    # Log into Google Cloud using service account JSON.
+    # This can't be Workload Identity Federation because Bazel performance using WIF is terrible.
+    # This needs access to secrets and thus doesn't work for pull request.
+    - uses: google-github-actions/auth@v2
+      id: google_auth
+      if: github.event_name != 'pull_request' && inputs.service_account_json != ''
+      with:
+        credentials_json: '${{ inputs.service_account_json }}'
+
+    # The above action creates a credential file in workspace and it doesn't provide a way to configure
+    # it. This influences with a few scripts that assume clean workspace, and introduce security risk
+    # that it may be exposed when uploading to buckets.
+    - name: Move Google credentials out from workspace
+      if: github.event_name != 'pull_request' && inputs.service_account_json != ''
+      run: |
+        SOURCE=${{ steps.google_auth.outputs.credentials_file_path }}
+        TARGET=${{ runner.temp }}/$(basename "$SOURCE")
+        mv $SOURCE $TARGET
+        echo "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=$TARGET" >> $GITHUB_ENV
+        echo "GOOGLE_APPLICATION_CREDENTIALS=$TARGET" >> $GITHUB_ENV
+        echo "GOOGLE_GHA_CREDS_PATH=$TARGET" >> $GITHUB_ENV
+      shell: bash
+
+    - uses: google-github-actions/setup-gcloud@v2
+      if: github.event_name != 'pull_request' && inputs.service_account_json != ''
+
+    - name: Configure ~/.bazelrc
+      if: inputs.configure-bazel == 'true'
+      run: |
+        cp ci/.bazelrc ~/.bazelrc
+        # Inject the OS version into a parameter used in the action key computation to
+        # avoid collisions between different operating systems in the caches.
+        # See #14695 for more information.
+        echo "build --remote_default_exec_properties=OSVersion=\"$(lsb_release -ds)\"" >> ~/.bazelrc
+
+        if ${{ github.event_name != 'pull_request' && inputs.service_account_json != '' }}; then
+          echo "Will upload to the cache." >&2
+          echo "build --google_default_credentials" >> ~/.bazelrc
+        else
+          echo "Download from cache only." >&2
+          echo "build --remote_upload_local_results=false" >> ~/.bazelrc
+        fi
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+
+    - name: Install merge-junit
+      run: |
+        MERGE_JUNIT_PATH="/tools/merge-junit"
+        MERGE_JUNIT_TAR="merge-junit-v0.2.1-x86_64-unknown-linux-musl.tar.gz"
+        MERGE_JUNIT_URL="https://github.com/tobni/merge-junit/releases/download/v0.2.1/${MERGE_JUNIT_TAR}"
+        MERGE_JUNIT_SHA256="5c6a63063f3a155ea4da912d5cae2ec4a89022df31d7942f2aba463ee4790152"
+
+        curl -fLSs -o "/tmp/${MERGE_JUNIT_TAR}" "$MERGE_JUNIT_URL"
+        HASH=$(sha256sum "/tmp/$MERGE_JUNIT_TAR" | awk '{print $1}')
+        if [[ "$HASH" != "$MERGE_JUNIT_SHA256" ]]; then
+          echo "The hash of merge-junit does not match" >&2
+          echo "$HASH != $MERGE_JUNIT_SHA256" >&2
+          exit 1
+        fi
+
+        sudo mkdir -p $MERGE_JUNIT_PATH
+        sudo chmod 777 $MERGE_JUNIT_PATH
+        tar -C $MERGE_JUNIT_PATH -xvzf "/tmp/${MERGE_JUNIT_TAR}" --strip-components=1
+        echo $MERGE_JUNIT_PATH >> "$GITHUB_PATH"
+        rm "/tmp/${MERGE_JUNIT_TAR}"
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}

.github/actions/publish-bazel-test-results/action.yml

@@ -0,0 +1,58 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Publish Bazel test results
+description: Merge Bazel test results and publish the report
+
+inputs:
+  merged-results:
+    description: Path to place merged JUnit report
+    default: test_results.xml
+  artifact-name:
+    description: Name of uploaded artifact. Leave empty to skip upload.
+    default: ''
+  bucket-destination:
+    description: GCP bucket destination to upload report to.
+    default: ''
+
+runs:
+  using: composite
+  steps:
+    # Bazel produce one xml for each test. Merge them together.
+    - name: Merge JUnit reports
+      shell: bash
+      run: |
+        if find -L bazel-out -name "test.xml" | grep -F '' >> /tmp/test-xmls; then
+          cat /tmp/test-xmls | xargs merge-junit -o "${{ inputs.merged-results }}"
+        else
+          # merge-junit doesn't handle 0 inputs.
+          echo '<?xml version="1.0" encoding="UTF-8"?><testsuites/>' >> "${{ inputs.merged-results }}"
+        fi
+
+    - name: Add hostname to testsuites
+      shell: bash
+      run: |
+        xmlstarlet ed --inplace -i '/testsuites/testsuite' -t attr -n hostname -v "${{ runner.name }}" "${{ inputs.merged-results }}"
+
+    - name: Upload report as artifact
+      if: inputs.artifact-name != ''
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ inputs.artifact-name }}
+        path: ${{ inputs.merged-results }}
+        # In case this is from a re-run
+        overwrite: true
+
+    - name: Upload report to Google Cloud
+      if: inputs.bucket-destination != ''
+      shell: bash
+      run: |
+        gcloud storage cp "${{ inputs.merged-results }}" "gs://${{ inputs.bucket-destination }}"
+
+    - name: Publish job summary
+      uses: mikepenz/action-junit-report@ec3a351c13e080dc4fa94c49ab7ad5bf778a9668 # v5
+      with:
+        report_paths: ${{ inputs.merged-results }}
+        annotate_only: true
+        detailed_summary: true